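(define-module (nbde system kexec-installer)
  #:use-module (gnu)
  #:use-module (gnu packages)
  #:use-module (gnu packages base)
  #:use-module (gnu packages compression)
  #:use-module (gnu packages cryptsetup)
  #:use-module (gnu packages disk)
  #:use-module (gnu packages file-systems)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages package-management)
  #:use-module (gnu packages ssh)
  #:use-module (gnu services networking)
  #:use-module (gnu services ssh)
  #:use-module (guix gexp)
  #:use-module (nbde system kexec-initrd)
  #:use-module (nbde packages crypto)
  #:export (make-kexec-installer-os
            kexec-installer-os))

;;; Commentary:
;;;
;;; Operating-system declaration for a minimal, RAM-resident installer image
;;; that is entered via kexec.  The root file system is a tmpfs, so nothing
;;; written inside the image survives a reboot.  There are two ways in:
;;;
;;;   - the serial (ttyS0) and tty1 consoles auto-login as root with no
;;;     password, so whoever can reach the console (physically, through a
;;;     BMC, or via a cloud provider's serial console) has a root shell; and
;;;   - sshd, with password authentication disabled, which admits only the
;;;     keys found under /etc/guix-kexec/authorized_keys/<user>.
;;;
;;; Code:

(define %kexec-installer-shell-packages
  ;; Basic userland for an interactive rescue/installer shell.  nss-certs is
  ;; included so that TLS peers (substitute servers and the like) can be
  ;; verified from inside the image.
  (map specification->package
       '("bash-minimal" "coreutils" "diffutils" "findutils" "gawk" "grep"
         "gzip" "inetutils" "iproute2" "less" "nss-certs" "procps" "rsync"
         "sed" "tar" "which" "xz")))

(define %kexec-installer-packages
  ;; Keep the live image intentionally thin.  This environment only needs
  ;; enough tooling to repartition disks, format ext4/FAT, configure LUKS
  ;; (cryptsetup and clevis), and run the remote Guix installer flow after
  ;; the kexec handoff.
  (append %kexec-installer-shell-packages
          (list guix
                clevis
                cryptsetup
                dosfstools
                e2fsprogs
                gptfdisk
                kexec-tools
                kmod
                parted
                util-linux)))

(define %kexec-installer-initrd-modules
  ;; Storage, dm-crypt, file-system and virtio drivers the initrd must carry
  ;; so the image comes up on SATA/NVMe hosts as well as virtio guests.
  '("ahci" "dm-crypt" "fat" "loop" "nls_cp437" "nls_iso8859-1" "nvme"
    "overlay" "sd_mod" "squashfs" "vfat" "virtio_blk" "virtio_console"
    "virtio_net" "virtio_pci" "virtio_scsi"))

(define* (make-kexec-installer-os #:key
                                  (host-name "guix-kexec")
                                  (timezone "Etc/UTC")
                                  (locale "en_US.UTF-8")
                                  (kernel-arguments
                                   '("console=ttyS0,115200n8"
                                     "net.ifnames=0"
                                     "panic=30"
                                     "loglevel=4"))
                                  (extra-packages '())
                                  (extra-services '()))
  "Return an <operating-system> for the kexec installer image.

HOST-NAME, TIMEZONE and LOCALE are passed through unchanged.
KERNEL-ARGUMENTS replaces (rather than extends) the default command line, so
a caller overriding it must keep the serial console argument if it relies on
ttyS0.  EXTRA-PACKAGES are prepended to the installer package set;
EXTRA-SERVICES are appended after the installer's own services and before
the trimmed %base-services."
  (operating-system
    (host-name host-name)
    (timezone timezone)
    (locale locale)
    (keyboard-layout (keyboard-layout "us"))
    (label "Guix kexec installer")
    (initrd-modules %kexec-installer-initrd-modules)
    (initrd kexec-installer-initrd)
    (kernel-arguments kernel-arguments)
    ;; No bootloader is ever installed: the image is entered via kexec, so
    ;; the target list is deliberately empty.
    (bootloader (bootloader-configuration
                 (bootloader grub-bootloader)
                 (targets '())))
    ;; Root lives on tmpfs; nothing written to the installer persists.
    (file-systems (cons (file-system
                          (device "tmpfs")
                          (mount-point "/")
                          (type "tmpfs")
                          (check? #f))
                        %base-file-systems))
    (packages (append extra-packages %kexec-installer-packages))
    (services
     (append
      (list (service dhcpcd-service-type)

            ;; Mirror the root key file shipped at
            ;; /etc/guix-kexec/authorized_keys/root into ~root/.ssh so that
            ;; tools looking in the conventional place find it (sshd itself
            ;; also reads the /etc/guix-kexec path directly; see
            ;; AuthorizedKeysFile below).  The directory is locked to 0700
            ;; *before* anything is copied into it, and the copy is then
            ;; restricted to 0600, so the key file is never exposed under a
            ;; umask-derived mode.  With no key file present this is a no-op
            ;; and SSH stays effectively closed, because password logins are
            ;; disabled.
            (simple-service 'kexec-launch-authorized-keys
                            activation-service-type
                            (with-imported-modules '((guix build utils))
                              #~(begin
                                  (use-modules (guix build utils))
                                  (let ((source "/etc/guix-kexec/authorized_keys/root")
                                        (target-dir "/root/.ssh")
                                        (target "/root/.ssh/authorized_keys"))
                                    (when (file-exists? source)
                                      (mkdir-p target-dir)
                                      (chmod target-dir #o700)
                                      (copy-file source target)
                                      (chmod target #o600))))))

            ;; Unauthenticated root shells on the serial console and tty1.
            ;; This is deliberate for an installer image, but it means that
            ;; console access (physical, BMC, cloud serial console) is root
            ;; access; do not expose the console to untrusted parties.
            (service mingetty-service-type
                     (mingetty-configuration
                      (tty "ttyS0")
                      (auto-login "root")
                      (login-pause? #f)))
            (service mingetty-service-type
                     (mingetty-configuration
                      (tty "tty1")
                      (auto-login "root")
                      (login-pause? #f)))

            ;; Key-only SSH: no passwords, root may log in with a key only,
            ;; no X11 forwarding support built in.  Keys are looked up in
            ;; the user's home, /etc/ssh/authorized_keys.d/<user> and the
            ;; image-provided /etc/guix-kexec/authorized_keys/<user>.
            ;; NOTE(review): with / on tmpfs the sshd host keys are presumably
            ;; regenerated on every boot unless the image ships them --
            ;; confirm, and have operators verify the fingerprint out of band
            ;; before trusting the session.
            (service openssh-service-type
                     (openssh-configuration
                      (openssh openssh-sans-x)
                      (port-number 22)
                      (permit-root-login 'prohibit-password)
                      (extra-content
                       "AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 /etc/ssh/authorized_keys.d/%u /etc/guix-kexec/authorized_keys/%u")
                      (password-authentication? #f))))
      extra-services
      ;; Drop the stock console/getty services so that the two mingetty
      ;; instances above are the only login prompts in the image.
      (modify-services %base-services
        (delete console-font-service-type)
        (delete agetty-service-type)
        (delete mingetty-service-type))))))

(define kexec-installer-os
  ;; The default image: every keyword of MAKE-KEXEC-INSTALLER-OS at its
  ;; default value.
  (make-kexec-installer-os))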